Internet Explorer is the next battleground for Microsoft in its goal of securing the Windows stack against an anticipated avalanche of script-based attacks.
And the company appears to be putting out the feelers to the community in order to get there.
David Cross, Microsoft product unit manager, told RSA generic application- …

COMMENTS

History Repeating Itself (again)

Leaving aside for a moment the irony of the headline "Microsoft asking for help to fix its own buggy software", does it not strike anyone else that this whole Web2 (or indeed Web1) business has all been done before and rejected?

Back in the old days, someone came up with the clever idea of RPCs (Remote Procedure Calls). Great idea - you could get computer A to execute a program on computer B just by asking it. Any program you like, if you configured it that way. A great idea. Until someone pointed out that actually it represented a gaping security and stability risk!

Fast forward, oh, I dunno..., 20 years? And we have web browsers executing all manner of crud downloaded from a multitude of remote servers somewhere. Is it any wonder at all that there is a security / stability problem? The model is fundamentally insecure by design and it can only get worse.

And the answer is? I don't think there is one, except to stop using this model, push more of the functionality back to the server (thin clients anyone?) and if (I say IF) you want to accept that you need _some_ kind of scripting on the client, reduce its scope considerably to just some very basic, restricted operations that can be easily verified not to cause a problem or open up a security hole. Or better still, get rid of the scripting altogether and build this functionality into the browser / comms protocol where it can't be tampered with.

@TeeCee

Why not fix the obvious?

The fundamental problem is that Microsoft wants to execute code on your machine as a superuser. If they could just see the stupidity of even trying to do this then we'd all breathe a bit easier.

RPC should be an OK mechanism provided you're careful about what you're offering. You know these guys want you to not only load executable code but offer an external interface to it. Instead of fixing the obvious they're trying to change the universe around their design flaw.

@Rich

"push more of the functionality back to the server (thin clients anyone?)"

Great idea, alas in the real world it just doesn't work. For some specific applications/processes this idea does work very well (banks, call centers etc) but in a 'normal' office or home environment it is far too complex. Not only from a software POV but the physical infrastructure that is needed as well.

"Or better still, get rid of the scripting altogether and build this functionality into the browser / comms protocol where it can't be tampered with."

But it can be tampered with, a lot of the (far more complex) attacks manage to dig under the skin and change these parts of applications.

The sad truth is that no OS is going to be secure - ever. And you have to balance security with usability, unfortunately as long as the many thousands of 'script kiddies' out there carry on doing what they do (which is not a lot, they just use code that an intelligent person has already written) the situation won't get any better.

As for all the shite that browsers download on a daily basis the only way that will ever get better is to educate people - but we all know that the average computer user these days hasn't got a clue, hell even when a website makes it very clear that you're downloading an application that will dial a premium rate, international phone number they still download it!!!

Guess we can only hope that people will eventually get wise...until then we all have to be extra careful!